fault.920
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Fault.9209
It is a dangerous memory resident parasitic virus. While executing an infected file the virus checks the processor number and mode, and returns to the host program if the processor is not i386 or better, or the system is not in the real mode. If the processor is in real mode, the virus copies itself to the XMS memory and to the block of conventional memory, switches the processor to protect mode, and stays memory resident. Staring from that moment the DOS is working in V86 mode.
The memory resident virus consists of two copies. The first TSR copy is placed in conventional memory, and installation procedure of that code looks as installation procedure of "Jerusalem" viruses. This copy does not hook any interrupt vectors, but is hot hidden in the system memory in any way - the corresponding block is visible by using any memory browser. The virus uses that copy to infect the files, and calls it from the second TSR copy.
The second virus TSR copy is placed in XMS memory. As a supervisor it hooks all interrupts calls, and on INT 21h calls FindFirst/Next FCB (AH=11h, 12h) calls the first virus TSR copy (DOS copy) to infect the EXE files that are accessed.
The virus has the bugs and halts the system in lot of cases. If a program is performing a function that is not i8086 specific, the virus displays one of the messages and halts the system:
General Protection Fault. Halting system!
Unimplemented Fault. Halting system!
Copyright @2006 fault.920